Update Distribution Point for Multiple Subnets

I got some issue at my customer that using SEP 11 RU 6, currently they have many sites, and for each of their sites, there are more than 4 subnets, currently they are using GUP for the update distribution point, the challenges are:

The user at sites, are NOT ALLOWED to update the definition to the SEPM at HQ or to the INTERNET directly, so that we have to fully utilized the distributed update points (SEPM version upgrade are not an option in this case)

1. As we know, GUP only serving 1 subnet, so that to handle multiple subnet, we have to deploy multiple GUP

The operational team only want to establish maximum up to 2 distribution update point (which mean, if there are 4 subnets, it is not possible to cover the rest of the subnets)

2. we are looking for another option, LUA

But as we know, LUA is downloading an enormous product updates which is contain not only SEPM content, which can cause a huge amount of downloading traffic, any info how to modified LUA so that it can download only SEPM content (incrementally)?

3. or we have to deploy additional SEPM to facilitate this issue?

Need your advice on the best distribution update scenario for this issue :)

What is Taking Up So Much Space?

LUA 2.x can locally mirror everything that is on Internet-based LiveUpdate source servers. That is an enormous amount of materials. A common misconfiguration is just to "check" the entire product family when determining what LUA will download and distribute.

The good news is that LUA allows excellent granularity. If, for example, a company only uses the AntiVirus capabilities of SEP in their organization, LUA can be configured to download just the AV contents- saving many, many GB worth of materials that would never be used. Here is an illustration of what to check (and leave unchecked!) in an organization of 32-bit SEP clients which retrieve their AV defs directly from the LUA server:

So at that point, now it is possible to make LUA only downloading SEP clients content update only?

1. As we know, GUP only serving 1 subnet, so that to handle multiple subnet, we have to deploy multiple GUP

A GUP can provide content to more than one subnet. Either you have to use a Single GUP, defined by IP address or hostname, or (if you are using multiple GUPs) you define a backup GUP which can accessed by all clients.

See this document:

Understanding and Identifying the different Group Update Provider (GUP) Options in SEP 11.0.5 RU5 and Later

the scenario will be (for eg the subnets will be : 10.1.1.x, 10.1.2.x, 10.1.3.x, 10.1.4.x) :

1. i will create new live update policy that will be applied to the client at one of the site (with multiple subnets)

2. i will choose the multiple GUP providers

3. i will assign one of the GUP (for example the ip 10.1.1.1)

4. i will put the OPTIONAL GUP (for example the ip 10.1.2.1) - different subnet with the first one

5. the client with the subnet other than subnet 10.1.1.x will able to download the update from the OPTIONAL GUP at 10.1.2.1

Exactly. That should work.

(Small?) drawback is that clients in three subnets first try to find a GUP in their subnet (and fail) and then use the backup GUP.

Another solution (don't know if it fits better in your environment):

Define two Single GUPs, A and B.

Then create the four groups, G1, G2, G3, and G4 (one for each subnet).

Assign the LU policy with GUP A to the groups G1 and G2.

Assign the LU policy with GUP B to the groups G3 and G4.

Additionally, you can establish GUP B as backup GUP for G1 and G2 by defining an additional location for G1 and G2. If the regular GUP A is down (can be checked by the ICMP request condition), the clients in G1 and G2 will change their location and then use a LU policy with GUP B.